Closed BabiKoqi closed 3 years ago
Hi,
Your issue lies within the fact that this is a modded version of KoiVM. In particular, the sample contains a modded version of KoiVM that attempts to conceal the constants that configure the virtual machine.
OldRod detects all constants by locating the static class that defines them, and then attempts to read out the CIL code of the class constructor (.cctor). In your sample, the .cctor (0x06000426) is obfuscated with some arithmetic obfuscation, resulting in Old Rod not being able to successfully extract the information it needs. You will probably have more success cleaning this up first, or disabling the auto detection of constants and providing one yourself using the --config
option (see example-config.json)..
I've seen a few reports about this, perhaps it is time to incorporate a slightly better autodetection mechanism.
I have to say that this is not a koiVM protected file. If you look deeply into VM.VM in .cctor, you will see that there is no VM at all. Its just namespace KoiVM.Runtime. Its accualy confuserEx mod by Bed. aka Beds Protector. Link is here: https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed
The reason why am i saying this is that this is not an oldrod bug, and it shouldnt be opened because its ConfuserEx instead of koiVM.
Hello, I was trying to devirt this application when this Error occurred. Here are the files & verbose.
verbose.txt NightCheckerRelease.zip